the audit chairs auxiliary internal auditors

  • Date:01 Nov 2005
  • Type:CompanyDirectorMagazine

The audit chair’s auxiliary – internal auditors


By Ali Cromie*


Board audit committees are turning to internal auditors for assurance that internal control systems meet the higher standard of accountability demanded of organisations operating in today’s rigorous governance environment.
Director doyen, Jim Kennedy, said compliance has become overwhelming and requires major changes to how companies operate.
“There’s no choice. Effective internal control systems – not rubber stamps– must be in place,” he said
He was a keynote speaker at the AICD Directors’ Briefing What an audit committee and the head of internal audit now expect of each other held in Sydney in October. His directorships include Qantas, Suncorp Metway and the Australian Stock Exchange.
The corporate and regulatory environment makes him, he said, “very puzzled and concerned” how he can do all that is expected of him as a director, and as chairman of two audit committees and a member of another.
 “As I see it, there is really only one practical solution – and that is to empower the internal audit function to take a greatly enhanced and more independent role.” No more is the internal auditor ‘a support’ for the CFO.”
The head of internal audit requires a “deep understanding” of the business of an organisation, its staff and culture. He or she, needs to know the key issues management are dealing with, and be engaged with what is going on.
“Personally I think the head of internal audit should either be on the executive committee or very close to it.”

Board audit committee expectations
Kennedy said the board audit committee expects internal audit to have:
• a clear understanding that its “primary purpose” is to provide clear, independent and objective assurance across the company’s internal environment;
• to add value by recommending improvements to the internal control environment; and
• to raise issues with the audit committee chair when management has not dealt with an issue appropriately.
“The audit chair also wants to know what management is doing all the time and to know that management is aware of significant risks and has them under control.”

Internal auditor as chair confidant
Gary Anderson, managing director of risk consultants Protiviti, said outside scrutiny of board audit committees means that audit committees requires assurance that reporting systems have “substance”.
This has put a lot of pressure on management and, in particular, the internal auditors.
He says that five years ago the board’s expectation of internal audit was “extremely low”. Most internal audit functions did not report to the audit committee, the appointment and removal of chief internal auditors rarely involved the board’s audit chair and the internal audit function was typically led by a middle manager.
Nowadays the chief internal auditor is a key adviser to audit committees and Anderson expects the internal auditor to become a critical confidant to audit committee chairs.
Anderson cautions committees about over relying on their internal auditors: surveys show limits on internal auditors pushing “bad news upwards” to the board.

Inside the black box
Andrew Dix, Telstra director risk management and assurance, said he represents the changing face of the internal audit profession. He moved from line management to head of internal audit 15 months ago, a poacher turned gamekeeper.
Internal audit is not “a mysterious black box”, rather it is an integral function for providing assurance to the board audit committee according to Dix.
 “The one thing I’ve discovered in my time as an internal auditor is that the ability to really find out what is going on in an organisation is the most critical skill an internal auditor can have, and through that [skill], provide assurance to the board.”

Serving two masters
At Telstra, Dix said he puts a lot of pressure on his internal audit team to develop strong relationships with line managers, believing that close relationships are essential to effective internal audit performance.
He cautions however that internal auditors to be “very careful” not to “go feral” and work for “the other side”.
“There is potentially a conflict over whether you’re working for line management or for the board audit committee,’’ he said.
An emerging issue for internal auditors is their role in risk management.
“We do have a role setting and monitoring the framework for the organisation but we cannot be involved in setting risk appetites, that is line management’s responsibility,” Dix said.
“You have to be careful as an internal auditor not to usurp or take over the responsibility of line management for their problems.”

*Ali Cromie is a learning facilitator for AICD education programs and principal of Rigour Group, specialising in employment screening of senior people to reduce organisation risk.